Q: How do I register my YubiKey for use with Duo 2FA?

How can I register my hardware token for use with Duo?

Can I use a hardware token with Duo 2FA?

Context

You can use a YubiKey USB hardware token to generate a one-time passcode (OTP) for use with Duo. This is useful if you don't have a smartphone, prefer a physical token for your second factor, or want a secondary backup option in case you don't have access to your phone.

If you would like to request a YubiKey, please submit the Yubikey Request Form. YubiKeys will be available for pickup at the IS&T Service Desk in E17-106, 40 Ames Street.

Configuring the YubiKey hardware token

The following steps will erase and reconfigure your YubiKey. If you received a new YubiKey from IS&T, it is safe to follow the steps. If you already had your own YubiKey and were using it for non-MIT services, be aware that erasing and reconfiguring your YubiKey will probably make it stop working for your other services. For safety, we recommend getting a new YubiKey from IS&T.

It should be possible to use a single YubiKey for multiple services if you:

IS&T does not support the above steps and will not be able to help if things don't work. Using a single YubiKey with multiple services (MIT/Duo and non-MIT/Yubico) weakens the security of the key. IS&T recommends getting a dedicated YubiKey for MIT/Duo logins.

Registering it with Duo Two-Factor authentication

Once signed in, click on Register a new hardware token.
Result: You are brought to the registration page.

Make sure the appropriate token type is selected. For any model YubiKey, select Yubikey.

Enter (copy & paste) the Serial Number (in Decimal format), Private Identity, and Secret Key you generated when configuring your YubiKey and select Submit.
Result: You will be returned to the Duo settings page with a message saying the enrollment was successful.
You can now test your hardware token by authenticating to an MIT service.

Troubleshooting

If you repeatedly get the error "Invalid Yubikey private ID or secret key." when attempting to register a YubiKey, you might inadvertently have two configurations set up in your YubiKey and be triggering the wrong one during verification. Recent models of YubiKeys can store two configurations: you trigger the first by a short press of 0.3-1.5 seconds, and you trigger the second by a long press of 2.5-5 seconds. YubiKeys are easier to use if only configuration 1 is set up, so you should delete configuration 2 if you are certain that nothing else needs it.